Cybersecurity: Are Software Developers the Achilles’ Heel?

By Rhonda Chicone, School of Business and Information Technology

The Software Lay of the Land

No one can dispute that software is everywhere; just pick up your smartphone and take a look at the applications you have installed. Some reports suggest that by 2017, there will be more smartphones in the world than people. Yet smartphones are old news. These days we’re hearing a lot about the “Internet of Things” (IoT), which includes embedded software systems that control wearables (a Fitbit or Apple Watch, for example), software that controls machines that talk to other machines, and smart sensors that are making household environments intelligent and responsive. The smartphone and IoT widgets are great, and software is what makes them come alive. The demand for highly skilled software developers will continue to rise, as software will be in virtually everything as we move forward as a society; it can’t be stopped. Our world is now connected, and technology has been integrated into our lives.

An Example of What Could Go Wrong 

Go back to your smartphone. Do you happen to have a banking application on it? If not, let us imagine you do. Imagine a scenario where the banking application has a flaw (otherwise known as a bug) that is not detected by the end user (you). In cybersecurity terms, there are certain types of bugs that expose a software application weakness or vulnerability. These types of software vulnerabilities are typically caused by the software developer doing something wrong when he or she is coding the software application. Certain types of software vulnerabilities can cause major harm. People are targeted every single day. For example, ZeuS, a well-known banking malware (malicious software), was originally discovered in 2007 and targeted Microsoft Windows–based computers. Several variants have appeared since then, including Zitmo, which takes aim at mobile users (Maslennikov, 2011).

Let us get back to your banking software application. Cybercriminals love software applications that have weaknesses or vulnerabilities. They are motivated to take advantage of, or exploit, those vulnerabilities and to cause harm. Here is an example: a cybercriminal tricks your smartphone into thinking it is communicating with a trusted company’s server or computer, while the trusted server thinks it is communicating with you. Instead, the cybercriminal sits between you and your bank, reading (and, if he or she chooses, altering) your network traffic. You wouldn’t know the cybercriminal was monitoring your transactions until it is too late. In the cybersecurity domain this is called a man-in-the-middle attack (MITM).

Those of you who are technically savvy may be saying, “What about SSL or TLS?” Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols that protect information traveling over a computer network (remember, the Internet is a gigantic network of computers); SSL is the older of the two and has since been deprecated in favor of TLS. To use SSL/TLS correctly, organizations (or individuals) obtain a certificate from a Certificate Authority (CA). In this example, your bank would obtain the SSL/TLS certificate from a CA, and it would be installed and configured on your bank’s web server (the web server is a software application that resides on a physical server/computer). When you browse to a website and “https” is used in the web address (or you see the little lock icon), the “s” means that your bank uses SSL/TLS. Popular browsers like Chrome, Firefox, Safari, Internet Explorer, etc., are software applications that validate SSL/TLS certificates correctly.

One of the first steps in using SSL/TLS correctly is to validate the certificate the server presents: check that it was digitally signed by a CA the device already trusts (directly or through a chain of intermediate certificates), that it has not expired, and that the name in the certificate matches the server you meant to reach. Only a certificate that passes all of those checks can be trusted. The banking software application on your smartphone is supposed to accept only trusted certificates, in the same way your web browser does. Now imagine the certificate was not validated correctly in the banking software application. A cybercriminal in the middle could then present his or her own certificate, the application would accept it, and the connection would be encrypted to the attacker rather than to your bank. In effect, your banking information (username, password) would be traveling over the Internet unprotected.

A vulnerability such as rejecting a good certificate or, worse, trusting a bad one can be caused by poor software development or software testing procedures. In 2014, a cybersecurity researcher at the Software Engineering Institute’s CERT Coordination Center (CERT/CC) created an open source tool (a set of existing software applications packaged together and made available to the public) to help detect MITM vulnerabilities like the one in the banking software application example: the tool sits between the application and the Internet, presents a certificate that no trusted CA signed, and records whether the application accepts it anyway. The researcher automated the testing, ran roughly one million applications through it, and found that more than 23,000 Android software applications did not validate the SSL/TLS certificate correctly (Dormann, 2015).
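The following Go program is an added example, not code from the original article or from CERT/CC, that reproduces the test just described on a small scale. It generates a self-signed certificate (standing in for the one a man-in-the-middle proxy would present), serves it from a loopback listener, and then connects twice: once as a client that skips certificate verification, the Go equivalent of an Android TrustManager with an empty checkServerTrusted() method, and once as a client that keeps the default verification. The host name “bank.example” and the port-0 loopback listener are assumptions for the example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a certificate that no CA vouches for. It stands in for
// the certificate an intercepting proxy hands to the application under test.
// "bank.example" is a made-up host name for this example.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startInterceptor listens on a random loopback port with the untrusted
// certificate and attempts one TLS handshake per incoming connection.
func startInterceptor(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				// Drive the handshake; a rejecting client simply makes it fail here.
				_ = c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	return ln.Addr().String(), nil
}

// handshakeSucceeds reports whether a client using cfg accepts the interceptor's
// certificate. true means the client would also accept a real attacker.
func handshakeSucceeds(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// vulnerableClient disables verification: any certificate is accepted.
func vulnerableClient() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, ServerName: "bank.example"}
}

// hardenedClient keeps Go's defaults: the chain must end at a trusted root and
// the certificate must be valid for ServerName.
func hardenedClient() *tls.Config {
	return &tls.Config{ServerName: "bank.example"}
}

// RunCheck returns whether each client accepted the untrusted certificate.
func RunCheck() (vulnerableAccepted, hardenedAccepted bool, err error) {
	cert, err := selfSignedCert("bank.example")
	if err != nil {
		return false, false, err
	}
	addr, err := startInterceptor(cert)
	if err != nil {
		return false, false, err
	}
	return handshakeSucceeds(addr, vulnerableClient()), handshakeSucceeds(addr, hardenedClient()), nil
}

func main() {
	v, h, err := RunCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("client that skips verification accepted the untrusted certificate: %v\n", v)
	fmt.Printf("client with default verification accepted the untrusted certificate: %v\n", h)
}
```

The hardened client fails the handshake with an “unknown authority” error because the self-signed certificate does not chain to anything in the system trust store; the vulnerable client connects happily, which is exactly the behaviour the CERT/CC test flagged in real applications. Note that the hardened client is simply the default configuration: the flaw in the vulnerable one is code somebody added.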

What Can We Do to Reduce Cybercrime? 

Software is everywhere; we live in an interconnected world. It is important that software developers adopt a security-first mindset. Secure software development practices existed long before we had the World Wide Web, the smartphone, and the IoT. 

Along the way these practices were forgotten in favor of profitability, a “release early, release often” philosophy, a “good enough” attitude, a new generation of developers slapping code on existing frameworks they don’t understand, exponential growth of computing power, outsourcing, etc. There are too many reasons to list. However, in the banking software application example, I argue that if the software developer had simply left the platform’s certificate validation in place and applied basic error checking, the vulnerability would not exist to be exploited by a cybercriminal. If these types of vulnerabilities were reduced, then cybercrime could be reduced as well. So, are software developers the Achilles’ heel in the cybersecurity domain? I’ll leave that up to you to answer.


Dormann, W. (2015, August 21). Announcing CERT Tapioca for MITM Analysis. Message posted to

Maslennikov, D. (2011). ZeuS-in-the-Mobile – Facts and Theories. Retrieved from